npm - eslint-plugin-secure-coding - Versions diffs - 1.0.0 - Mend

eslint-plugin-secure-coding 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (155) hide show

package/src/rules/security/no-missing-csrf-protection.js ADDED Viewed

@@ -0,0 +1,183 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noMissingCsrfProtection = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+/**
+ * Default CSRF middleware patterns
+ */
+const DEFAULT_CSRF_MIDDLEWARE_PATTERNS = [
+    'csrf',
+    'csurf',
+    'csrfProtection',
+    'verifyCsrfToken',
+    'csrfToken',
+    'validateCsrf',
+    'checkCsrf',
+    'csrfMiddleware',
+];
+/**
+ * Default HTTP methods that require CSRF protection
+ */
+const DEFAULT_PROTECTED_METHODS = ['post', 'put', 'delete', 'patch'];
+/**
+ * Check if a route handler method requires CSRF protection
+ */
+function requiresCsrfProtection(methodName, protectedMethods) {
+    return protectedMethods.some(method => method.toLowerCase() === methodName.toLowerCase());
+}
+/**
+ * Check if a string matches any ignore pattern
+ */
+function matchesIgnorePattern(text, patterns) {
+    return patterns.some(pattern => {
+        try {
+            const regex = new RegExp(pattern, 'i');
+            return regex.test(text);
+        }
+        catch {
+            return text.toLowerCase().includes(pattern.toLowerCase());
+        }
+    });
+}
+exports.noMissingCsrfProtection = (0, eslint_devkit_2.createRule)({
+    name: 'no-missing-csrf-protection',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects missing CSRF token validation in POST/PUT/DELETE requests',
+        },
+        hasSuggestions: true,
+        messages: {
+            missingCsrfProtection: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Missing CSRF Protection',
+                cwe: 'CWE-352',
+                description: 'Missing CSRF protection detected: {{issue}}',
+                severity: 'HIGH',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/352.html',
+            }),
+            addCsrfValidation: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Add CSRF Validation',
+                description: 'Add CSRF middleware',
+                severity: 'LOW',
+                fix: 'app.use(csrf({ cookie: true }))',
+                documentationLink: 'https://github.com/expressjs/csurf',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowInTests: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow missing CSRF protection in test files',
+                    },
+                    csrfMiddlewarePatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'CSRF middleware patterns to recognize',
+                    },
+                    protectedMethods: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'HTTP methods that require CSRF protection',
+                    },
+                    ignorePatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional safe patterns to ignore',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowInTests: false,
+            csrfMiddlewarePatterns: [],
+            protectedMethods: [],
+            ignorePatterns: [],
+        },
+    ],
+    create(context, [options = {}]) {
+        const { allowInTests = false, csrfMiddlewarePatterns, protectedMethods: customProtectedMethods, ignorePatterns = [], } = options;
+        const csrfPatterns = csrfMiddlewarePatterns && csrfMiddlewarePatterns.length > 0
+            ? csrfMiddlewarePatterns
+            : DEFAULT_CSRF_MIDDLEWARE_PATTERNS;
+        const protectedMethods = customProtectedMethods && customProtectedMethods.length > 0
+            ? customProtectedMethods
+            : DEFAULT_PROTECTED_METHODS;
+        const filename = context.getFilename();
+        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        const sourceCode = context.sourceCode || context.sourceCode;
+        function checkCallExpression(node) {
+            if (isTestFile) {
+                return;
+            }
+            const callee = node.callee;
+            const callText = sourceCode.getText(node);
+            // Check if it matches any ignore pattern
+            if (matchesIgnorePattern(callText, ignorePatterns)) {
+                return;
+            }
+            // Check for route handler methods (app.post, router.put, etc.)
+            if (callee.type === 'MemberExpression' && callee.property.type === 'Identifier') {
+                const methodName = callee.property.name;
+                // Only check if it's a route handler that requires CSRF
+                if (requiresCsrfProtection(methodName, protectedMethods)) {
+                    // Must have at least 2 arguments (path and handler)
+                    if (node.arguments.length < 2) {
+                        return;
+                    }
+                    // Check if CSRF middleware is in the route chain arguments
+                    let hasCsrfInChain = false;
+                    // Check if any argument (after the first path argument) is a CSRF middleware
+                    // Skip the first argument (path) and check the rest
+                    for (let i = 1; i < node.arguments.length; i++) {
+                        const arg = node.arguments[i];
+                        const argText = sourceCode.getText(arg);
+                        if (csrfPatterns.some(pattern => argText.toLowerCase().includes(pattern.toLowerCase()))) {
+                            hasCsrfInChain = true;
+                            break;
+                        }
+                    }
+                    if (!hasCsrfInChain) {
+                        context.report({
+                            node,
+                            messageId: 'missingCsrfProtection',
+                            data: {
+                                issue: `${methodName.toUpperCase()} route handler missing CSRF protection`,
+                                safeAlternative: `Add CSRF middleware: app.${methodName}("/path", csrf(), handler) or use app.use(csrf()) globally`,
+                            },
+                            suggest: [
+                                {
+                                    messageId: 'addCsrfValidation',
+                                    fix(fixer) {
+                                        // Add CSRF middleware after the first argument (path)
+                                        const firstArg = node.arguments[0];
+                                        if (firstArg) {
+                                            return fixer.insertTextAfter(firstArg, ', csrf()');
+                                        }
+                                        return null;
+                                    },
+                                },
+                            ],
+                        });
+                    }
+                }
+            }
+        }
+        return {
+            CallExpression: checkCallExpression,
+        };
+    },
+});
+//# sourceMappingURL=no-missing-csrf-protection.js.map

package/src/rules/security/no-missing-csrf-protection.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"no-missing-csrf-protection.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/no-missing-csrf-protection.ts"],"names":[],"mappings":";;;AASA,4DAA0E;AAC1E,4DAAsD;AAoBtD;;GAEG;AACH,MAAM,gCAAgC,GAAG;IACvC,MAAM;IACN,OAAO;IACP,gBAAgB;IAChB,iBAAiB;IACjB,WAAW;IACX,cAAc;IACd,WAAW;IACX,gBAAgB;CACjB,CAAC;AAEF;;GAEG;AACH,MAAM,yBAAyB,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;AAErE;;GAEG;AACH,SAAS,sBAAsB,CAC7B,UAAkB,EAClB,gBAA0B;IAE1B,OAAO,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,UAAU,CAAC,WAAW,EAAE,CAAC,CAAC;AAC5F,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,IAAY,EAAE,QAAkB;IAC5D,OAAO,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;QAC7B,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YACvC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAEY,QAAA,uBAAuB,GAAG,IAAA,0BAAU,EAA0B;IACzE,IAAI,EAAE,4BAA4B;IAClC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,mEAAmE;SACjF;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,qBAAqB,EAAE,IAAA,gCAAgB,EAAC;gBACtC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,yBAAyB;gBACpC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,6CAA6C;gBAC1D,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,qBAAqB;gBAC1B,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,iBAAiB,EAAE,IAAA,gCAAgB,EAAC;gBAClC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,qBAAqB;gBAChC,WAAW,EAAE,qBAAqB;gBAClC,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,iCAAiC;gBACtC,iBAAiB,EAAE,oCAAoC;aACxD,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,YAAY,EAAE;wBACZ,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,6CAA6C;qBAC3D;oBACD,sBAAsB,EAAE;wBACtB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,uCAAuC;qBACrD;oBACD,gBAAgB,EAAE;wBAChB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,2CAA2C;qBACzD;oBACD,cAAc,EAAE;wBACd,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,oCAAoC;qBAClD;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,YAAY,EAAE,KAAK;YACnB,sBAAsB,EAAE,EAAE;YAC1B,gBAAgB,EAAE,EAAE;YACpB,cAAc,EAAE,EAAE;SACnB;KACF;IACD,MAAM,CACJ,OAAsD,EACtD,CAAC,OAAO,GAAG,EAAE,CAAC;QAEd,MAAM,EACJ,YAAY,GAAG,KAAK,EACpB,sBAAsB,EACtB,gBAAgB,EAAE,sBAAsB,EACxC,cAAc,GAAG,EAAE,GACpB,GAAG,OAAkB,CAAC;QAEvB,MAAM,YAAY,GAAG,sBAAsB,IAAI,sBAAsB,CAAC,MAAM,GAAG,CAAC;YAC9E,CAAC,CAAC,sBAAsB;YACxB,CAAC,CAAC,gCAAgC,CAAC;QAErC,MAAM,gBAAgB,GAAG,sBAAsB,IAAI,sBAAsB,CAAC,MAAM,GAAG,CAAC;YAClF,CAAC,CAAC,sBAAsB;YACxB,CAAC,CAAC,yBAAyB,CAAC;QAE9B,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QACvC,MAAM,UAAU,GAAG,YAAY,IAAI,iCAAiC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACpF,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC;QAE5D,SAAS,mBAAmB,CAAC,IAA6B;YACxD,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YAC3B,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAE1C,yCAAyC;YACzC,IAAI,oBAAoB,CAAC,QAAQ,EAAE,cAAc,CAAC,EAAE,CAAC;gBACnD,OAAO;YACT,CAAC;YAED,+DAA+D;YAC/D,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAChF,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAExC,wDAAwD;gBACxD,IAAI,sBAAsB,CAAC,UAAU,EAAE,gBAAgB,CAAC,EAAE,CAAC;oBACzD,oDAAoD;oBACpD,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBAC9B,OAAO;oBACT,CAAC;oBAED,2DAA2D;oBAC3D,IAAI,cAAc,GAAG,KAAK,CAAC;oBAE3B,6EAA6E;oBAC7E,oDAAoD;oBACpD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;wBAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;wBAC9B,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;wBACxC,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC;4BACxF,cAAc,GAAG,IAAI,CAAC;4BACtB,MAAM;wBACR,CAAC;oBACH,CAAC;oBAED,IAAI,CAAC,cAAc,EAAE,CAAC;wBACpB,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI;4BACJ,SAAS,EAAE,uBAAuB;4BAClC,IAAI,EAAE;gCACJ,KAAK,EAAE,GAAG,UAAU,CAAC,WAAW,EAAE,wCAAwC;gCAC1E,eAAe,EAAE,4BAA4B,UAAU,4DAA4D;6BACpH;4BACD,OAAO,EAAE;gCACP;oCACE,SAAS,EAAE,mBAAmB;oCAC9B,GAAG,CAAC,KAAyB;wCAC3B,sDAAsD;wCACtD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;wCACnC,IAAI,QAAQ,EAAE,CAAC;4CACb,OAAO,KAAK,CAAC,eAAe,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;wCACrD,CAAC;wCACD,OAAO,IAAI,CAAC;oCACd,CAAC;iCACF;6BACF;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,cAAc,EAAE,mBAAmB;SACpC,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/no-missing-security-headers.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+export interface Options {
+    /** Required security headers. Default: ['Content-Security-Policy', 'X-Frame-Options', 'X-Content-Type-Options'] */
+    requiredHeaders?: string[];
+    /** Ignore in test files. Default: true */
+    ignoreInTests?: boolean;
+}
+export declare const noMissingSecurityHeaders: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/security/no-missing-security-headers.js ADDED Viewed

@@ -0,0 +1,217 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noMissingSecurityHeaders = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const DEFAULT_REQUIRED_HEADERS = [
+    'Content-Security-Policy',
+    'X-Frame-Options',
+    'X-Content-Type-Options',
+];
+/**
+ * Extract header name from setHeader call
+ */
+function extractHeaderName(node) {
+    if (node.arguments.length > 0 && node.arguments[0].type === 'Literal') {
+        return String(node.arguments[0].value);
+    }
+    return null;
+}
+/**
+ * Check if all security headers are set in the current scope
+ */
+function checkFunctionForSecurityHeaders(node, requiredHeaders, context) {
+    const setHeaders = new Set();
+    // Find the function that contains this setHeader call
+    let current = node;
+    let scopeNode = null;
+    while (current) {
+        if (current.type === 'FunctionDeclaration' ||
+            current.type === 'FunctionExpression' ||
+            current.type === 'ArrowFunctionExpression') {
+            scopeNode = current;
+            break;
+        }
+        current = current.parent ?? null;
+    }
+    // If no function found, use the program scope (for test cases)
+    if (!scopeNode) {
+        scopeNode = context.sourceCode.ast;
+    }
+    // Collect all setHeader calls in this scope
+    function collectHeaders(node) {
+        if (node.type === 'CallExpression' &&
+            node.callee.type === 'MemberExpression' &&
+            node.callee.property.type === 'Identifier' &&
+            ['setHeader', 'header', 'set'].includes(node.callee.property.name)) {
+            const headerName = extractHeaderName(node);
+            if (headerName) {
+                setHeaders.add(headerName);
+            }
+        }
+        // Recursively check children - only traverse standard AST properties
+        if (node.type === 'Program' && node.body) {
+            node.body.forEach(collectHeaders);
+        }
+        else if ((node.type === 'FunctionDeclaration' ||
+            node.type === 'FunctionExpression' ||
+            node.type === 'ArrowFunctionExpression') && node.body) {
+            collectHeaders(node.body);
+        }
+        else if (node.type === 'BlockStatement' && node.body) {
+            node.body.forEach(collectHeaders);
+        }
+        else if (node.type === 'ExpressionStatement' && node.expression) {
+            collectHeaders(node.expression);
+        }
+    }
+    if (scopeNode) {
+        collectHeaders(scopeNode);
+    }
+    // Return missing headers
+    return requiredHeaders.filter(header => !setHeaders.has(header));
+}
+exports.noMissingSecurityHeaders = (0, eslint_devkit_2.createRule)({
+    name: 'no-missing-security-headers',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects missing security headers in HTTP responses',
+        },
+        hasSuggestions: true,
+        messages: {
+            missingSecurityHeader: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Missing security headers',
+                cwe: 'CWE-693',
+                description: 'Missing security headers: {{headers}}',
+                severity: 'HIGH',
+                fix: 'Set security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options',
+                documentationLink: 'https://owasp.org/www-project-secure-headers/',
+            }),
+            addSecurityHeaders: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Add Security Headers',
+                description: 'Add security headers middleware',
+                severity: 'LOW',
+                fix: 'Add Content-Security-Policy, X-Frame-Options headers',
+                documentationLink: 'https://owasp.org/www-project-secure-headers/',
+            }),
+            useMiddleware: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Helmet',
+                description: 'Use helmet.js for security headers',
+                severity: 'LOW',
+                fix: 'app.use(helmet())',
+                documentationLink: 'https://helmetjs.github.io/',
+            }),
+            setHeader: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Set Headers',
+                description: 'Set security headers manually',
+                severity: 'LOW',
+                fix: 'res.setHeader("X-Frame-Options", "DENY")',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    requiredHeaders: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: DEFAULT_REQUIRED_HEADERS,
+                    },
+                    ignoreInTests: {
+                        type: 'boolean',
+                        default: true,
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            requiredHeaders: DEFAULT_REQUIRED_HEADERS,
+            ignoreInTests: true,
+        },
+    ],
+    create(context, [options = {}]) {
+        const { requiredHeaders = DEFAULT_REQUIRED_HEADERS, ignoreInTests = true, } = options || {};
+        const filename = context.getFilename();
+        const isTestFile = ignoreInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        if (isTestFile) {
+            return {};
+        }
+        const reportedScopes = new Set();
+        /**
+         * Get a unique key for the current scope
+         */
+        function getScopeKey(node) {
+            // Find the function that contains this call
+            let current = node;
+            while (current) {
+                if (current.type === 'FunctionDeclaration' ||
+                    current.type === 'FunctionExpression' ||
+                    current.type === 'ArrowFunctionExpression') {
+                    return `${current.range?.[0]}-${current.range?.[1]}`;
+                }
+                current = current.parent ?? null;
+            }
+            // If no function found, use program scope
+            return 'program';
+        }
+        /**
+         * Check for response header setting
+         */
+        function checkCallExpression(node) {
+            // Check for res.setHeader, res.header, res.set
+            if (node.callee.type === 'MemberExpression' &&
+                node.callee.property.type === 'Identifier') {
+                const methodName = node.callee.property.name;
+                if (['setHeader', 'header', 'set'].includes(methodName)) {
+                    const scopeKey = getScopeKey(node);
+                    // Only check once per scope
+                    if (reportedScopes.has(scopeKey)) {
+                        return;
+                    }
+                    const missing = checkFunctionForSecurityHeaders(node, requiredHeaders, context);
+                    if (missing.length > 0) {
+                        reportedScopes.add(scopeKey);
+                        context.report({
+                            node,
+                            messageId: 'missingSecurityHeader',
+                            data: {
+                                headers: missing.join(', '),
+                            },
+                            suggest: [
+                                {
+                                    messageId: 'addSecurityHeaders',
+                                    fix: () => null,
+                                },
+                                {
+                                    messageId: 'useMiddleware',
+                                    fix: () => null,
+                                },
+                                {
+                                    messageId: 'setHeader',
+                                    fix: () => null,
+                                },
+                            ],
+                        });
+                    }
+                    else {
+                        // Mark as checked even if no error
+                        reportedScopes.add(scopeKey);
+                    }
+                }
+            }
+        }
+        return {
+            CallExpression: checkCallExpression,
+        };
+    },
+});
+//# sourceMappingURL=no-missing-security-headers.js.map

package/src/rules/security/no-missing-security-headers.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"no-missing-security-headers.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/no-missing-security-headers.ts"],"names":[],"mappings":";;;AASA,4DAA0E;AAC1E,4DAAsD;AAkBtD,MAAM,wBAAwB,GAAG;IAC/B,yBAAyB;IACzB,iBAAiB;IACjB,wBAAwB;CACzB,CAAC;AAEF;;GAEG;AACH,SAAS,iBAAiB,CAAC,IAA6B;IACtD,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QACtE,OAAO,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,+BAA+B,CACtC,IAA6B,EAC7B,eAAyB,EACzB,OAAsD;IAEtD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IAErC,sDAAsD;IACtD,IAAI,OAAO,GAAyB,IAAI,CAAC;IACzC,IAAI,SAAS,GAAyB,IAAI,CAAC;IAE3C,OAAO,OAAO,EAAE,CAAC;QACf,IAAI,OAAO,CAAC,IAAI,KAAK,qBAAqB;YACtC,OAAO,CAAC,IAAI,KAAK,oBAAoB;YACrC,OAAO,CAAC,IAAI,KAAK,yBAAyB,EAAE,CAAC;YAC/C,SAAS,GAAG,OAAO,CAAC;YACpB,MAAM;QACR,CAAC;QACD,OAAO,GAAI,OAAsD,CAAC,MAAM,IAAI,IAAI,CAAC;IACnF,CAAC;IAED,+DAA+D;IAC/D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;IACrC,CAAC;IAED,4CAA4C;IAC5C,SAAS,cAAc,CAAC,IAAmB;QACzC,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB;YAC9B,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;YACvC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;YAC1C,CAAC,WAAW,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACvE,MAAM,UAAU,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;YAC3C,IAAI,UAAU,EAAE,CAAC;gBACf,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;QAED,qEAAqE;QACrE,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACzC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QACpC,CAAC;aAAM,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,qBAAqB;YACnC,IAAI,CAAC,IAAI,KAAK,oBAAoB;YAClC,IAAI,CAAC,IAAI,KAAK,yBAAyB,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YAClE,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5B,CAAC;aAAM,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACvD,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QACpC,CAAC;aAAM,IAAI,IAAI,CAAC,IAAI,KAAK,qBAAqB,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YAClE,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,IAAI,SAAS,EAAE,CAAC;QACd,cAAc,CAAC,SAAS,CAAC,CAAC;IAC5B,CAAC;IAED,yBAAyB;IACzB,OAAO,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;AACnE,CAAC;AAEY,QAAA,wBAAwB,GAAG,IAAA,0BAAU,EAA0B;IAC1E,IAAI,EAAE,6BAA6B;IACnC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,oDAAoD;SAClE;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,qBAAqB,EAAE,IAAA,gCAAgB,EAAC;gBACtC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,0BAA0B;gBACrC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,uCAAuC;gBACpD,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,wFAAwF;gBAC7F,iBAAiB,EAAE,+CAA+C;aACnE,CAAC;YACF,kBAAkB,EAAE,IAAA,gCAAgB,EAAC;gBACnC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,sBAAsB;gBACjC,WAAW,EAAE,iCAAiC;gBAC9C,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,sDAAsD;gBAC3D,iBAAiB,EAAE,+CAA+C;aACnE,CAAC;YACF,aAAa,EAAE,IAAA,gCAAgB,EAAC;gBAC9B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,YAAY;gBACvB,WAAW,EAAE,oCAAoC;gBACjD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,mBAAmB;gBACxB,iBAAiB,EAAE,6BAA6B;aACjD,CAAC;YACF,SAAS,EAAE,IAAA,gCAAgB,EAAC;gBAC1B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,aAAa;gBACxB,WAAW,EAAE,+BAA+B;gBAC5C,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,0CAA0C;gBAC/C,iBAAiB,EAAE,2DAA2D;aAC/E,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,eAAe,EAAE;wBACf,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,wBAAwB;qBAClC;oBACD,aAAa,EAAE;wBACb,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,IAAI;qBACd;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,eAAe,EAAE,wBAAwB;YACzC,aAAa,EAAE,IAAI;SACpB;KACF;IACD,MAAM,CAAC,OAAsD,EAAE,CAAC,OAAO,GAAG,EAAE,CAAC;QAC3E,MAAM,EACV,eAAe,GAAG,wBAAwB,EACpC,aAAa,GAAG,IAAI,GAEzB,GAAY,OAAO,IAAI,EAAE,CAAC;QAEvB,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QACvC,MAAM,UAAU,GAAG,aAAa,IAAI,iCAAiC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAErF,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,GAAG,EAAU,CAAC;QAEzC;;WAEG;QACH,SAAS,WAAW,CAAC,IAA6B;YAChD,4CAA4C;YAC5C,IAAI,OAAO,GAAyB,IAAI,CAAC;YACzC,OAAO,OAAO,EAAE,CAAC;gBACf,IAAI,OAAO,CAAC,IAAI,KAAK,qBAAqB;oBACtC,OAAO,CAAC,IAAI,KAAK,oBAAoB;oBACrC,OAAO,CAAC,IAAI,KAAK,yBAAyB,EAAE,CAAC;oBAC/C,OAAO,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvD,CAAC;gBACD,OAAO,GAAI,OAAsD,CAAC,MAAM,IAAI,IAAI,CAAC;YACnF,CAAC;YACD,0CAA0C;YAC1C,OAAO,SAAS,CAAC;QACnB,CAAC;QAED;;WAEG;QACH,SAAS,mBAAmB,CAAC,IAA6B;YACxD,+CAA+C;YAC/C,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBACvC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC/C,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAE7C,IAAI,CAAC,WAAW,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;oBACxD,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;oBAEnC,4BAA4B;oBAC5B,IAAI,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;wBACjC,OAAO;oBACT,CAAC;oBAED,MAAM,OAAO,GAAG,+BAA+B,CAAC,IAAI,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;oBAEhF,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBACvB,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;wBAC7B,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI;4BACJ,SAAS,EAAE,uBAAuB;4BAClC,IAAI,EAAE;gCACJ,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;6BAC5B;4BACD,OAAO,EAAE;gCACP;oCACE,SAAS,EAAE,oBAAoB;oCAC/B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;iCAChB;gCACD;oCACE,SAAS,EAAE,eAAe;oCAC1B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;iCAChB;gCACD;oCACE,SAAS,EAAE,WAAW;oCACtB,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;iCAChB;6BACF;yBACF,CAAC,CAAC;oBACL,CAAC;yBAAM,CAAC;wBACN,mCAAmC;wBACnC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;oBAC/B,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,cAAc,EAAE,mBAAmB;SACpC,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/no-privilege-escalation.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+export interface Options {
+    /** Allow privilege escalation patterns in test files. Default: false */
+    allowInTests?: boolean;
+    /** Test file pattern regex string. Default: '\\.(test|spec)\\.(ts|tsx|js|jsx)$' */
+    testFilePattern?: string;
+    /** Role check patterns to recognize. Default: ['hasRole', 'checkRole', 'isAdmin', 'isAuthorized'] */
+    roleCheckPatterns?: string[];
+    /** User input patterns that should be validated. Default: ['req.body', 'req.query', 'req.params'] */
+    userInputPatterns?: string[];
+    /** Additional patterns to ignore. Default: [] */
+    ignorePatterns?: string[];
+}
+export declare const noPrivilegeEscalation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;